Hello Daniel and all,

When I was using TLS encryption for VM live-migration, I noticed one thing: the migration works regardless of the "endpoint" setting (that is: either "endpoint=server" or "endpoint=client") on the target server. The line I added is:

"-object tls-creds-x509,id=tls0,dir=/path/to/qemutls,endpoint=client (or server),verify-peer=on"

It seems that currently the setting of "endpoint" is not strictly enforced for VM migration. I'd like to know if this is intentionally done to allow a certain flexibility, or whether it should be fixed from the security perspective.

Thank you very much!

Best regards,
Yu Zhang @ IONOS cloud

On Mon, Aug 21, 2023 at 4:29 PM Yu Zhang <yu.zh...@ionos.com> wrote:
>
> Hello Daniel,
>
> sorry for my slow reply! I tested the approach you suggested in the
> following way:
>
> On the target server, start a VM in -incoming mode:
>
> qemu-7.1 \
>   -uuid ${VM_UUID} \
>   ...
>   -object tls-creds-x509,id=tls0,dir=${HOME}/qemutls,endpoint=server \
>   ...
>   -incoming defer \
>   -qmp unix:${SOCK},server,nowait &
>
> Set the migrate parameter and wait for the incoming VM from the source:
>
> echo '{"execute":"qmp_capabilities"}{ "execute": "migrate-set-parameters", "arguments": { "tls-creds": "tls0" }}' | sudo nc -U -w 1 ${SOCK}
> echo '{"execute":"qmp_capabilities"}{ "execute": "migrate-incoming", "arguments": { "uri": "tcp::8089" }}' | sudo nc -U -w 1 ${SOCK}
>
> in HMP:
>
> (qemu) migrate_set_parameter tls-creds tls0
> (qemu) migrate_incoming tcp:[::]:8089
>
> On the source server, start a VM:
>
> qemu-7.1 \
>   -uuid ${VM_UUID} \
>   ...
>   -object tls-creds-x509,id=tls0,dir=${HOME}/qemutls,endpoint=client \
>   ...
>   -qmp unix:${SOCK},server,nowait &
>
> Set the migrate parameter and migrate the VM from source to target:
>
> echo '{"execute":"qmp_capabilities"}{ "execute": "migrate-set-parameters", "arguments": { "tls-creds": "tls0" }}' | sudo nc -U -w 1 ${SOCK}
> echo '{"execute":"qmp_capabilities"}{ "execute": "migrate", "arguments": { "uri": "tcp:10.41.19.32:8089" }}' | sudo nc -U -w 1 ${SOCK}
>
> and query the migration after a few seconds:
>
> echo '{"execute":"qmp_capabilities"}{ "execute": "query-migrate" }' | sudo nc -U -w 1 ${SOCK}
>
> The migration is completed successfully.
>
> To further migrate the VM from the source (the target of the previous
> migration), the endpoint must be changed from "server" to "client" by
> QMP commands:
>
> echo '{"execute":"qmp_capabilities"}{ "execute": "object-del", "arguments": { "id": "tls0" }}' | sudo nc -U -w 1 ${SOCK}
> echo '{"execute":"qmp_capabilities"}{ "execute": "object-add", "arguments": { "id": "tls0", "qom-type": "tls-creds-x509", "endpoint": "client", "dir": "'"${HOME}"'/qemutls", "verify-peer": false }}' | sudo nc -U -w 1 ${SOCK}
>
> which in HMP commands are:
>
> (qemu) object_del tls0
> (qemu) object_add tls-creds-x509,id=tls0,dir=${HOME}/qemutls,endpoint=client
> (qemu) migrate_set_parameter tls-creds tls0
> (qemu) migrate tcp:10.41.16.10:8089
>
> As far as I tested, the TLS certificate must be valid for at least one
> day. Therefore, the VM migration with an expired TLS certificate can
> only be done within one day.
>
> Thank you so much for your kind reply!
> Best regards
>
> Yu Zhang @ IONOS Compute Platform
>
> On Thu, Aug 17, 2023 at 12:49 PM Daniel P. Berrangé <berra...@redhat.com> wrote:
> >
> > On Mon, Aug 07, 2023 at 12:07:31AM +0200, Yu Zhang wrote:
> > > Hi all,
> > >
> > > According to the qemu docs [1], TLS parameters are specified as an object on
> > > the QEMU command line:
> > >
> > > -object tls-creds-x509,id=id,endpoint=endpoint,dir=/path/to/cred/dir
> > > ...
> > >
> > > of which "endpoint" is of type "QCryptoTLSCredsEndpoint" and can be
> > > either "server" or "client".
> > >
> > > I'd like to know:
> > >
> > > - When a VM is started with this config, is there a way (e.g. QMP) to
> > >   change the value of "endpoint"?
> > >   If possible, how to do this? Otherwise, after the first migration of a VM,
> > >   the VM has "endpoint=server",
> > >   which can't be migrated without stop / start.
> >
> > Use object_del + object_add to delete the old credentials and
> > create new ones.
> >
> > > - In which case does QEMU reload its TLS certificate, e.g. when a QEMU
> > >   VM has been running longer
> > >   than the valid period of its TLS certificate?
> >
> > The certs are loaded at the time the incoming/outgoing migration
> > operation is initiated, so they are always fresh.
> >
> > > - The migration is done by using the HMP monitor on both source and target
> > >   side. Is it possible to do it
> > >   by using QMP commands?
> >
> > Almost everything in HMP has an equivalent QMP command.
> >
> >
> > With regards,
> > Daniel
> > --
> > |: https://berrange.com -o- https://www.flickr.com/photos/dberrange :|
> > |: https://libvirt.org -o- https://fstop138.berrange.com :|
> > |: https://entangle-photo.org -o- https://www.instagram.com/dberrange :|
> >
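The object-del / object-add / migrate-set-parameters / migrate sequence from the thread, driven as a proper QMP session instead of piping JSON into nc: QMP sends a greeting first and may interleave asynchronous events (e.g. MIGRATION) with command replies, so the client below waits for each reply rather than relying on a one-second timeout. This is an added example, not code from the thread or from QEMU. QMP_SOCK, TLS_DIR and TARGET_URI are placeholders, FakeQemu is a constructed stand-in for the VM so the script runs offline, and the existence check uses qom-list on /objects so a missing tls0 is handled without matching error strings. Unlike the posted object-add, which set "verify-peer": false, the example keeps peer verification on by default, since turning it off makes the source accept whatever certificate the destination presents.

```python
"""Swap a QEMU tls-creds-x509 object over QMP and start an outgoing migration.

Added example, not code from the thread or from QEMU. QMP_SOCK, TLS_DIR and
TARGET_URI are placeholders; FakeQemu is a constructed stand-in for the VM.
"""
import json
import socket

QMP_SOCK = "/run/qemu/vm.qmp"        # assumed path of the -qmp unix socket
TLS_DIR = "/etc/pki/qemu"            # assumed dir with ca-cert.pem, client-cert.pem, client-key.pem
TARGET_URI = "tcp:192.0.2.10:8089"   # assumed destination (RFC 5737 documentation address)


class QmpError(Exception):
    pass


class QmpClient:
    """Minimal synchronous QMP client over any transport with sendall()/readline()."""

    def __init__(self, transport):
        self.t = transport
        greeting = self._recv()
        if "QMP" not in greeting:
            raise QmpError("not a QMP greeting: %r" % (greeting,))
        self.execute("qmp_capabilities")   # leave capability negotiation mode

    @classmethod
    def connect(cls, path=QMP_SOCK):
        s = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        s.connect(path)
        return cls(_SocketTransport(s))

    def _recv(self):
        # QMP frames one JSON object per line; asynchronous events are interleaved
        # with replies and must be skipped while waiting for a command's return.
        while True:
            line = self.t.readline()
            if not line:
                raise QmpError("QMP connection closed")
            msg = json.loads(line)
            if "event" not in msg:
                return msg

    def execute(self, cmd, arguments=None):
        req = {"execute": cmd}
        if arguments:
            req["arguments"] = arguments
        self.t.sendall(json.dumps(req).encode() + b"\n")
        reply = self._recv()
        if "error" in reply:
            raise QmpError("%s failed: %s" % (cmd, reply["error"].get("desc")))
        return reply.get("return")


class _SocketTransport:
    def __init__(self, sock):
        self.sock, self.rfile = sock, sock.makefile("rb")

    def sendall(self, data):
        self.sock.sendall(data)

    def readline(self):
        return self.rfile.readline()


def object_exists(qmp, obj_id):
    """True if /objects/<obj_id> exists; avoids depending on object-del error text."""
    return any(e["name"] == obj_id for e in qmp.execute("qom-list", {"path": "/objects"}))


def switch_tls_creds_and_migrate(qmp, creds_id, tls_dir, uri, verify_peer=True):
    """Replace creds_id with an endpoint=client tls-creds-x509 object, then migrate.

    verify_peer defaults to True: with verify-peer=false the source accepts any
    certificate the destination presents.
    """
    if object_exists(qmp, creds_id):
        qmp.execute("object-del", {"id": creds_id})
    qmp.execute("object-add", {"qom-type": "tls-creds-x509", "id": creds_id,
                               "dir": tls_dir, "endpoint": "client",
                               "verify-peer": verify_peer})
    qmp.execute("migrate-set-parameters", {"tls-creds": creds_id})
    qmp.execute("migrate", {"uri": uri})
    return qmp.execute("query-migrate")


class FakeQemu:
    """Constructed in-memory stand-in for QEMU's QMP server (offline runs only)."""

    def __init__(self, objects=("tls0",)):
        self.objects, self.commands = set(objects), []
        self.inbox = [self._line({"QMP": {"version": {}, "capabilities": []}})]

    @staticmethod
    def _line(obj):
        return json.dumps(obj).encode() + b"\n"

    def sendall(self, data):
        req = json.loads(data)
        self.commands.append(req)
        cmd, args = req["execute"], req.get("arguments", {})
        ret = {}
        if cmd == "qom-list":
            ret = [{"name": o, "type": "child<tls-creds-x509>"} for o in sorted(self.objects)]
        elif cmd == "object-del":
            self.objects.discard(args["id"])
        elif cmd == "object-add":
            self.objects.add(args["id"])
        elif cmd == "migrate":   # an async event lands before the reply, as QEMU may do
            self.inbox.append(self._line({"event": "MIGRATION", "data": {"status": "setup"}}))
        elif cmd == "query-migrate":
            ret = {"status": "completed"}
        self.inbox.append(self._line({"return": ret}))

    def readline(self):
        return self.inbox.pop(0) if self.inbox else b""


def demo(existing=("tls0",)):
    """Run the swap against FakeQemu; returns (commands sent, final query-migrate)."""
    fake = FakeQemu(existing)
    status = switch_tls_creds_and_migrate(QmpClient(fake), "tls0", TLS_DIR, TARGET_URI)
    return fake.commands, status


if __name__ == "__main__":
    cmds, status = demo()
    print([c["execute"] for c in cmds], status["status"])
```

Against a live VM, replace `QmpClient(fake)` with `QmpClient.connect(QMP_SOCK)`; the sequence is identical. The object-del step needs the credentials to be unreferenced, which is the state a VM is in after an incoming migration has completed.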